Me and Facebook (A C4utionary Tale)

Well, it's that time of the week in which I expose somebody (I really hope this does not become a weekly "thing" XD).

We all know about Facebook and its REALLY confusing security settings. But sometimes I doubt whether they actually care about user privacy at all, and this is one of those situations in which a person's not knowing the right setting for their account will end up giving away their personal data.

I would consider my most "personal" data saved on Facebook to be my mobile number, as it is somewhat of a bridge between my personal and online life, and I would not like people I don't want getting hold of it. What if I tell you that 83% (I originally wrote 98%; correction: http://www.twitlonger.com/show/jjpl97) of your phone numbers are not safe? Only those lucky enough to stumble upon this setting and actually change it are safe from the following.

Note: Even though this is technically a "0-day", I do not endorse criminal use of the following POC and leaked text.

UPDATE: http://facebook-phone-crawler.googlecode.com/svn/trunk/facebook-hit.py [by TBorland] 7/10/2012

——————————————————————————————————————–

UPDATE 2: Dead! All it takes is proof and a few days, I guess. 9/10/2012

"They're throttling now.

Trying to look up a 10k range no longer works. After... a few hundred (at most) you get logged out with the following message. (It has been further reduced.)

"Your account has been temporarily suspended. We have detected some suspicious activity coming from this IP. As a security precaution, your account has been temporarily suspended."

"Reactivation: You will have to wait 24 hours to get back into your account."" – A tester

It appears it's the "figure out how the rate limit works" game now. I wonder if it's really as simple as "this many requests from this IP in x time" instead of an actual rate limit.

——————————————————————————————————————–

First let me tell you how I came across this. About a month ago I was just browsing FB in the FB mobile application and it had an option called "Find friends using contacts". What it does is compare the contact list on your phone against the FB database to find people who are in your contacts but not yet among your Facebook friends.

I also later figured out that simply "searching" for a person's phone number (including the country code) will show you their account. Most of you will say "OH! I made my number private, so I am safe." NO, YOU ARE NOT!

Let me show you how you are wrong! Most of you would only have changed this (and think that's the end of the line as far as your mobile number is concerned):

[screenshot]

Well, FB managed to sneak in another setting that still connects your phone number to your account. It's tucked away in your privacy settings:

[screenshot]


If you didn't know this, don't be hard on yourself; even I didn't know about this setting before I found this out a month ago. I also questioned my friends and most of them did not know such a setting existed (and MY friends are not average Joes; they are people from all over the tech industry), and VERY FEW knew about it. (Also notice that the most restrictive option for the setting is "Friends". WHY CAN'T I KEEP MY NUMBER TO MYSELF?!) Well, my theory is that, in order to get more users via phone numbers, this setting is intentionally set to "Everybody" by FB.

So soon I mailed the Facebook security team telling them about a "hypothetical" way in which a person could obtain Username:Number pairs using automated scripts. And Facebook just "meh'd" it.


All further mails trying to explain the security implications were ignored!

[screenshot]

And now I would also like to bring to attention the "ineffectiveness" of Facebook's security team. Not only do they not reply to mails properly, sometimes they don't bother replying at all. And there are even cases in which a vulnerability you sent is fixed but you are not acknowledged or even notified that it is fixed. And this is not only my view but that of many other reputed security researchers. I asked them to send me their bitter experiences with Facebook.

——————————————————————————————————————–

Harsha Vardhan Boppana

I have taken a snip of my vuln before sending: http://i45.tinypic.com/30uadxl.png It is fixed and I didn't get a reply, and for the following vulns Facebook did accept that it targeted few users, therefore they did not accept some vulns. They are: http://www.ehackingnews.com/2012/09/facebook-vulnerability-expose-personal-info.html I don't understand: if it targets only a few users, then Facebook won't care?

DISCOVERED by RAFAY BALOCH:

http://www.rafayhackingarticles.net/2012/09/facebook-open-redirection-vulnerability.html

——————————————————————————————————————–

Now, getting back to the vulnerability. About a month later I realized that Facebook had taken NO action to prevent the attack I had proposed was possible.

So I sent them another mail telling them to "fix" it such that automated searches cannot be made (and also to move the setting so that people can actually see it and change it). Well, look at the reply!

[screenshot]

So I decided to make a very simple POC. It was just a macro script that read and saved the user names for a range of generated numbers, and I sent it to them. Many of you might be wondering how I bypassed Facebook's "rate limiting". Well, simple: I used the mobile version! THAT'S ALL!

E.g.: http://m.facebook.com/search/?query=123456789

Replace "123456789" with an actual mobile number (including the country code).

Generate more such URLs (with a different number at the end) using Excel, and I was ready.

NOTE: NOT ONCE IN THE LAST FOUR DAYS WAS I BLOCKED

Now I ran the script/macro for some time. What it does is open each page and save the data. I can then quickly sort the "No results found" pages from the positive results.

Also, you can target a certain mobile carrier or location if you know the specific area codes or number prefixes, since the number range to scan becomes much smaller.

(Don't ask me to provide it for you, because I don't want people abusing it; any person worthy of it can make it himself/herself :P)
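To make the two technical points of this post concrete (the consecutive-number scan of a prefix described above, and the "figure out how the rate limit works" question from UPDATE 2), here is an added simulation. It is not part of the original post and is neither my script nor Tyler's. It builds a number range under a prefix the way the POC did, replays the scan against a simulated lookup endpoint under three throttling policies, and shows why a per-IP limit alone is beaten by spreading requests over many IPs, while a per-account limit (plus a check for consecutive-number walks) is not. The endpoint, the thresholds (300 lookups per hour, a 20-number walk), the 12-digit number format and the directory contents are all assumptions; nothing in it talks to the network.

```python
"""Simulated phone-number enumeration replayed under three throttling policies.
Added example for this post: the endpoint, thresholds, number format and
directory contents are assumptions, not Facebook's code; no network access."""
import random
from collections import defaultdict, deque

# Constructed directory: three numbers in the scanned range resolve to a profile.
DIRECTORY = {"919876543210": "alice.example",
             "919876543517": "bob.example",
             "919876543899": "carol.example"}


def number_range(prefix, total_len, start, count):
    """Consecutive numbers under `prefix` (the 'attack one area code' trick)."""
    width = total_len - len(prefix)
    return [f"{prefix}{i:0{width}d}" for i in range(start, start + count)]


class SlidingWindowLimiter:
    """At most `limit` events per key inside any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LookupService:
    """Simulated search endpoint. policy: 'none' (what the post found),
    'ip' (per-IP limit only, as in UPDATE 2) or 'ip+account+pattern'
    (per-IP, per-account, plus a check for consecutive-number walks)."""

    def __init__(self, policy, limit=300, window_s=3600, run_limit=20):
        self.policy = policy
        self.ip_lim = SlidingWindowLimiter(limit, window_s)
        self.acct_lim = SlidingWindowLimiter(limit, window_s)
        self.run_limit = run_limit
        self.last = {}                 # account -> last number queried
        self.runs = defaultdict(int)   # account -> length of consecutive walk
        self.suspended = set()
        self.now = 0.0

    def lookup(self, ip, account, number):
        self.now += 1.0                # one request per simulated second
        if account in self.suspended:
            return "suspended"
        if self.policy != "none" and not self.ip_lim.allow(ip, self.now):
            self.suspended.add(account)
            return "suspended"
        if self.policy == "ip+account+pattern":
            if not self.acct_lim.allow(account, self.now):
                self.suspended.add(account)
                return "suspended"
            n, prev = int(number), self.last.get(account)
            self.runs[account] = self.runs[account] + 1 if prev == n - 1 else 0
            self.last[account] = n
            if self.runs[account] >= self.run_limit:
                self.suspended.add(account)
                return "suspended"
        return DIRECTORY.get(number, "no results")


def run_scan(service, numbers, ips, account="attacker"):
    """Spread the lookups over `ips` round-robin, the way a botnet would."""
    hits, suspended_at = {}, None
    for i, number in enumerate(numbers):
        result = service.lookup(ips[i % len(ips)], account, number)
        if result == "suspended":
            suspended_at = i           # index of the first refused lookup
            break
        if result != "no results":
            hits[number] = result
    return {"hits": hits, "suspended_at": suspended_at}


def scenarios():
    numbers = number_range("919876543", 12, 0, 1000)  # 919876543000..999
    one_ip = ["203.0.113.7"]
    botnet = [f"198.51.100.{i}" for i in range(100)]  # 100 IPs, 10 lookups each
    shuffled = numbers[:]
    random.Random(1).shuffle(shuffled)                 # random order evades the walk check
    full = "ip+account+pattern"
    return {
        "no_limit": run_scan(LookupService("none"), numbers, one_ip),
        "ip_limit_one_ip": run_scan(LookupService("ip"), numbers, one_ip),
        "ip_limit_botnet": run_scan(LookupService("ip"), numbers, botnet),
        "full_sequential": run_scan(LookupService(full), numbers, one_ip),
        "full_shuffled_botnet": run_scan(LookupService(full), shuffled, botnet),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:22} hits={len(r['hits'])} suspended_at={r['suspended_at']}")
```

Running it prints one line per scenario. With no throttling the 1,000-number scan recovers all three planted hits. With a per-IP limit a single IP is suspended at the 301st request (one hit recovered), but the same 1,000 lookups spread over 100 IPs, 10 each, complete untouched with all three hits, which is exactly the botnet arithmetic later in this post. The per-account limit suspends the account at the 301st request no matter how many IPs are used, and the walk check catches a sequential scan at its 21st number; a randomized query order evades the walk check, so the per-account ceiling, not the pattern check, is the control that actually matters.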

Update: Have a look at Tyler's script at the TOP; it's BETTER than my nooby script XD

[screenshot]

I sent it to them again. THEY NEVER REPLIED! Such is the state of the "security team". To show you the extent of this vulnerability, I will post a very small percentage of what I managed to download.

Link to list:

http://privatepaste.com/3b9c229921 (removed; for proof see the picture below)

[screenshot]

I also calculated that it would take a person with a large enough botnet (100k) and a slightly better script (Tyler's will do the job) just a couple of days to download the ENTIRE username:phone-number list of Facebook's 600 million users who have a mobile number, of which at least 500 million would be vulnerable.

Connecting a person's phone number to a name is what every advertiser dreams of, and these sorts of lists would fetch a LARGE price on the black market. It would also be a HUGE breach of privacy. So to protect yourself against this, change your setting to "Friends", and ask Facebook to provide an "Only me" option and make it the default setting for all users!

To Facebook:

Facebook, fix this soon! I wish it had not come to such a public exposure, but you left me no choice. Also make sure that you reply to all mails and don't ignore other security researchers!

–Suriya

Media links (there are many more, but these are the ones I have checked and approved):

http://news.softpedia.com/news/Faulty-Facebook-Privacy-Settings-Expose-User-Phone-Numbers-Researcher-Says-297424.shtml

http://datasecuritybreach.fr/actu/fuite-de-donnees-sur-facebook/ (thank Google for Google Translate)

http://www.pcworld.com/article/2011396/facebooks-phone-search-can-be-abused-to-find-peoples-numbers-researchers-say.html

http://www.hotforsecurity.com/blog/facebook-privacy-is-goodbad-enough-just-flip-a-coin-3818.html

http://www.alertlogic.com/facebook-phone-abuse-the-tale-of-the-missing-rate-limit/

http://www.foxnews.com/tech/2012/10/10/facebook-lists-user-phone-numbers-for-all-to-see/

http://thenextweb.com/facebook/2012/10/10/facebook-confirms-researcher-exploited-privacy-settings-to-quickly-collect-user-phone-numbers/

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.